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IN THE DRAWINGS: 



Please substitute the attached Figures 1 through 7 for the Figures originally submitted 
with the instant Application. Applicant has formalized the drawings, but has not introduced any 
new matter. 
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Application Address Space (Notepad.exe) 
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Kernel32 .dll 

80000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ yy. 

80000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @ 

80000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

800000C0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 PE..L. 

800000DO 32 2C 30 3F 00 00 00 00 00 00 00 00 E0 00 0E 23 2,0? a..# 

800000EO 0B 01 05 0C 00 8C 05 00 00 78 05 00 00 00 00 00 <E. . .x 



Code for Create Fi I eA 



80000A32 
80000A33 
80000A35 
80000A38 
80000A3D 
80000A3F 
80000A41 
80000A44 
80000A46 
80000A49 
80000A4C 
80000A4F 
80000A52 
80000A55 
80000A58 
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mov 
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call 
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push 
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ebp.esp 
dword ptr [ebp+8] 
800092C5 
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dword ptr 



80009123 
eax.OFFFFFFFFh 
800091 3D 

ebp+20h 

ebp+1Ch; 

ebp+18h 

ebp+14h 

ebp+10h 

ebp+OCh 

eax+4] 



Application Instance Handle and Code (Import Table) 

00400000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ yy. 

00400010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 , @ 

00400020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

004000DO 50 45 00 00 4C 01 05 00 0C 22 CC 3F 00 00 00 00 PE . . L. . . . " I? . . . 

004000EO 00 00 00 00 E0 00 0E 01 0B 01 06 00 00 10 02 00 ....a 

0O400OF0 00 AO 00 00 00 00 00 00 FO 10 00 00 00 10 00 00 6 
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0042A150 

0042A160 
0042A170 

0042A1B0 
0042A1CO 
0042A1DO 

0042A26C 
0042A27C 
0042A2 8C 



32 OA 80 80 78 09 59 7C BC 69 59 7C 9D 6C 59 7C 
7B OB 59 7C 1C 68 59 7C D6 F5 57 7C 77 87 57 7C 
9C 62 58 7C 94 B5 57 7C C4 F7 57 7C 09 OB 59 7C 
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{ . Y| .hYl 05W|w*W| 
cebX w /iW A-s-W .Y 



4D 7E 57 7C 25 6E 59 7C AC OB 59 7C C4 F4 58 7C 

62 F4 58 7C D3 C7 FC 77 IE E7 58 7C 4A EA F8 77 

45 82 57 7C BA DD 5A 7C Bl 7C 59 7C OF 7C 59 7C 

00 00 00 00 2E 00 43 6C 6F 73 65 48 61 6E 64 6C 

65 00 4D 00 43 72 65 61 74 65 46 69 6C 65 41 00 

4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 77 01 
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Executable Code - Create File Call 

85: HANDLE hFile=CreateFile("c:\\test.txt",GENERIC_WRITE|GENERIC_READ, 
^ NULL, CREATE_ALWAYS.O, NULL); 

0040D6F8 mov esi.esp 
0040D6FA push 0 
0040D6FC push 0 
0040D6FE push 2 
0040D700 push 0 
0040D702 push 0 
0040D704 push OCOOOOOOOh 
0040D709 push offset string "c:\\test.txt" (00422fe8) 
0040D70E call dword ptr [_imp__CreateFileA@28 (0042a1 50)] 
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A pplication Address Space - Notepad.exe 



Kemel32.dll 

80000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ yy. . 

80000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 , @ 

80000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

800000CO 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 PE..L... 

800000D0 32 2C 30 3F 00 00 00 00 00 00 00 00 E0 00 0E 23 2,0? a..# 

800000E0 0B 01 05 OC 00 8C 05 00 00 78 05 00 00 00 00 00 CE...X 



Code for CreateFileA 
80000A32 push ebp 
80000A33 mov ebp.esp 
80000A35 push dword ptr [ebp+8] 
80000A38 call 800092C5 



Impersonation DLL 

20000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ. 

20000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ... 

20000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
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HANDLE WINAPI MyCreateFile(LPCSTR IpFileName, DWORD dwDesiredAccess, 
DWORD dwShareMode, LPSECURITY.ATTRIBUTES IpSecurityAttributes, 
DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, 
HANDLE hTemplateFile){ 



200000D8 push 

200000D9 mov 
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200000D9 push 

200000E1 push 

200000E4 push 
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200000F8 repstos dword ptr [edi] 



Application Instance Handle and Code (Import Table) 
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Executable Code - Create File Call 

85: HANDLE hFile=CreateFile( n c:\\testtxr,GENERIC WRITEIGENERIC READ, 0, 

NU LL,CREATE_ALWAYS t 0, N UlL); 

0040D6F8 mov esi.esp 
0040D6FA push 0 
0040D6FC push 0 
0040D6FE push 2 
0040D700 push 0 
0040D702 push 0 
0040D704 push OCOOOOOOOh 
0040D709 push offset string "c:\\test.txT (00422fe8) 
0040D70E call dword ptr L_imp_CreateFileA@28 (0042a 150)] 
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Sart Windows 
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Create document window 
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Encrypt file contents 
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